CVE-2025-0601
Published: 17 March 2025
Summary
CVE-2025-0601 is a high-severity Cross-site Scripting (CWE-79) vulnerability in 3Ds 3Dexperience Enovia. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, testing, and deployment of patches or upgrades to remediate the specific stored XSS flaw in ENOVIA Issue Management as detailed in the vendor advisory.
Mandates filtering of information output from Issue Management to neutralize or remove malicious scripts before rendering in victims' browsers, directly countering stored XSS execution.
Enforces validation of inputs to Issue Management to block injection and storage of malicious script code by low-privileged attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables injection of scripts that execute in victim browser sessions, directly facilitating session cookie theft (T1539), browser session hijacking (T1185), and use of stolen web session cookies to impersonate users (T1550.004).
NVD Description
A stored Cross-site Scripting (XSS) vulnerability affecting Issue Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
Deeper analysisAI
CVE-2025-0601 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Issue Management component of ENOVIA Collaborative Industry Innovator. It affects releases from 3DEXPERIENCE R2022x through 3DEXPERIENCE R2024x. The flaw enables an attacker to inject and store malicious script code that executes in a victim's browser session upon interaction with affected content. Published on March 17, 2025, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality and integrity impacts.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) by storing a malicious payload in Issue Management, such as via issue creation or modification. Exploitation requires user interaction (UI:R), typically when a higher-privileged user views or interacts with the tainted issue, triggering the script in their browser. Successful execution allows the attacker to steal session cookies, manipulate page content, or perform actions on behalf of the victim, achieving high confidentiality and integrity impacts (C:H/I:H) with a changed scope (S:C) that may extend to other origins or resources.
Mitigation details are available in the vendor advisory at https://www.3ds.com/vulnerability/advisories, which security practitioners should consult for patching instructions, workarounds, or upgrade guidance specific to affected 3DEXPERIENCE releases.
Details
- CWE(s)